Waikato DHB ransomware attack: Privacy Commissioner warns victims to consider credit freeze

30 Jun, 2021 01:37 AM

The ransomware-hit Waikato DHB must notify patients whose information has apparently been shared on the dark web, Privacy Commissioner John Edwards says.

And Edwards says potential victims should take steps to prevent identity theft – including requesting a free freeze on their credit rating.

“Waikato DHB must notify all individuals whose details are included in the data that has been published online, and take steps to prevent further distribution of the information,” Edwards told the Herald this afternoon.

“If somebody has suffered loss or considerable distress as a result of having their information included in the hack, and it can be shown that the DHB failed in its duty to take reasonable care, then the Waikato DHB could be liable,” Edwards added.

“There is a risk that it could result in serious harm through identity theft and malicious actors fraudulently obtaining credit.

“The Office of the Privacy Commissioner encourages anybody who is concerned about their personal information to exercise their rights under the Credit Reporting Privacy Code, by getting a credit freeze or suppression of their information, which would stop their credentials being used to open credit contracts.”

Under a recent update to the Privacy Act, Edwards can hit organisations with $10,000 penalties if they fail to follow notification requirements and other obligations under the legislation.

Earlier, IT security expert Daniel Ayers told Midday Report he had sighted the file structure of leaked patient information – without viewing personal information – and confirmed it is from the DHB.

He said the documents included correspondence, medical records, and financial data.

“I do note that some of the material in this leak does match some of the information that was previously released to media,” Ayers said.

Vice Society appear responsible

Separately, Emsisoft threat analyst Brett Callow told the Herald that a ransomware gang called “Vice Society” was responsible for the Waikato DHB attack.

The encryption used by Vice Society “has no weaknesses. Consequently, the only way to recover encrypted files is to restore them from backups or pay the demand,” Callow says.

Where is Vice Society based?

“New Zealand. Russia. Anywhere,” Callow says.

Like other experts inside and outside law enforcement, Callow has no idea.

“While the [ransomware gangs] are typically believed to be based in Russia or former Soviet states, the people who use the ransomware they create to carry out the attacks could be based anywhere,” the threat analyst says.

“For example, a Canadian was arrested in connection with attacks using ‘Russian ransomware’ earlier this year. According to press reports, he was formerly an IT analyst with the Government of Canada. No doubt, he was tempted by the enormous potential for profits – which turned out to be C$27 million, in his case. I wonder how many years of government salary that equals?”

The District Health Board has refused to pay a ransom, and one month on from the initial attack is still in the process of fully restoring its systems.

The Ministry of Health and Waikato DHB have been asked for comment.